It’s May the fourth, which for Star Wars fans means yet another excuse to re-watch The Force Awakens and try to come up with more outlandish theories about Rey’s parentage, where Maz Kanata got Luke’s lightsaber from, and why Han had to die. (Oh yes – spoiler alert. Sorry.) In all the thousands of words written about the new film, however, there’s one area that has been unfairly neglected, or so we think: the implications of the First Order’s poor information security and management system processes. May the fourth be with you…
In case you’ve forgotten (or muddled it with Episode IV, whose plot it mirrors), Episode VII relates the tale of a former sanitation operative on the dark side’s new big gun planet, Starkiller Base, who didn’t really enjoy the violence inherent in his new job role and quit on his first day as a Stormtrooper, having failed to fire a single shot. Like many a disgruntled employee, he left a certain amount of destruction in his wake: he helped an important prisoner escape, nicked a TIE fighter, crashed on a nearby planet, befriended a girl and a droid with whom he nicked another, bigger, ship, met a walking carpet and a wisecracking smuggler who took him to a bar where had a fight with some ex-colleagues he ran into, and then remembered that he had a lot of information about his former employers with which he could help his new friends blow up his old workplace. Or something like that.
But what would it have been like if Supreme Leader Snoke had insisted that General Hux implement a risk-based information security management system at the First Order’s base?
For starters, privileged access management policies would have prevented a former cleaner from having vital security information about the organisation’s most important assets in the first place, and a formal leaver’s policy would have ensured that the moment FN-2187 lay down his blaster and became Finn, all access to First Order security systems would have been revoked.
More important than this, a proper attitude to patch management and software updates would have ensured that the legacy systems left over from the Death Star would have been retired and replaced by suitable modern alternatives. Furthermore, a business continuity management system (BCMS) would have enabled the First Order to prepare for unforeseen incidents and return to normal operations as soon as possible after a disaster.
Meanwhile, on Earth…
Picking over plot details is obviously silly – it’s just a film – but the implications of poor information security are damaging enough in the real world. Fail to keep on top of your security systems, and you leave yourself vulnerable to attack. Subscribe to our Daily Sentinel email for the latest information security stories and to see how you can protect your organisation.